Supply chain
Definitions

A supply chain

Overview

It starts with the unprocessed raw materials and ends with the final customer using the finished goods.

"Products and services in the domestic and international supply chain include hardware, software, and firmware components for systems, data management services, telecommunications service providers, and Internet service providers. Domestic and international supply chains are becoming increasingly important to the national and economic security interests of the United States because of the growing dependence on products and services produced or maintained in worldwide markets."

Risks

Potential attacks through subversion of hardware or software supply chains can be viewed as another type of insider threat. Access through a hardware supply chain may require the development and manufacture of a subverted version of a microelectronic component and a complicated operation to insert the device into the targeted computer, possibly through the use of insiders in the supply chain. A software supply chain attack might involve, for example, a subversion embedded in lower-level system software that is not likely to be evaluated during testing. Another approach is to subvert the master copy of software used for broad distribution, which hackers recently attempted to do with a mainstream operating system. Even if software is tested, subversions may be difficult to detect, since they would typically be revealed only under circumstances that are difficult for a defender to discover.

Supply chain threats are present at various phases of a system's development life cycle and could create an unacceptable risk to federal agencies. Key supply chain-related threats include:

* installation of intentionally harmful hardware or software (i.e., containing "malicious logic");
* installation of counterfeit hardware or software;
* failure or disruption in the production or distribution of critical products;
* reliance on malicious or unqualified service providers for the performance of technical services; and
* installation of hardware or software containing unintentional vulnerabilities, such as defective code. (IT Supply Chain: Additional Efforts Needed by National Security-Related Agencies to Address Risks, Highlights.)

These threats can have a range of impacts, including allowing attackers to take control of systems or decreasing the availability of critical materials needed to develop systems. These threats can be introduced by exploiting vulnerabilities that could exist at multiple points in the supply chain.

Control systems

Uncertainty in the supply chain and the growing sophistication and diversity of international cyber threats increase the potential for a range of adverse effects on organizational operations and assets, individuals, other organizations, and the nation. Global commercial supply chains provide adversaries with opportunities to manipulate control system technology products that are routinely used by public and private sector organizations (e.g., suppliers, contractors) in the control systems that support U.S. critical infrastructure applications. Malicious activity at any point in the supply chain poses downstream risks to the mission/business processes that are supported by those control systems. To mitigate risk from the supply chain, a comprehensive security strategy should be considered that employs a strategic, organization-wide defense-in-breadth approach.

A defense-in-breadth approach helps to protect control systems (including the technology products that compose those systems) throughout the System Development Life Cycle (i.e., during design and development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). The identification, management, and elimination of vulnerabilities at each phase of the life cycle, and the use of complementary, mutually reinforcing strategies to mitigate risk, are important components of a successful defense-in-breadth approach.

References

Source

* "Control systems" section: Catalog of Control Systems Security: Recommendations for Standards Developers, at 31.

Category:Business
Category:Security
Category:Definition